Setting Up An iptables Firewall: Part 6

It’s been a long journey, and we’ve learned a lot along the way. We’ve created a robust firewall configuration that includes proactive and reactive defenses, and incorporated port knocking to guard our restricted services more strongly. Everything up until now, however, has been strictly IPv4; if your server also has an IPv6 address, it is still wide open on that side, because the iptables rules we built have no effect on IPv6 traffic at all. This post will be shorter than the others in this series, because all we’re doing is adapting our current IPv4 rules to IPv6.

The iptables command is specifically the IPv4 command; it has a nigh-identical IPv6 counterpart called ip6tables, which maintains its own, entirely separate set of tables and chains. There are also IPv6 counterparts of iptables-save and iptables-restore, called (shockingly) ip6tables-save and ip6tables-restore. For almost everything we have done in this series, you could simply substitute ip6tables for iptables and build your IPv6 firewall the same way.

In fact, they are so similar that the fastest way to get your IPv6 firewall up and running is to copy your /etc/iptables/rules.v4 file to /etc/iptables/rules.v6. That’s not quite all there is to it, however. If you’ve paid close attention to the file excerpts I have posted at the end of each previous post, you’ll notice I’ve left a few things out for the sake of readability. These omitted arguments don’t change the outcome, because they are in fact the defaults, but one of them has to change here because it only works for IPv4: in many of your rules (the -m recent ones from the port knocking setup), iptables-save writes out a --mask 255.255.255.255 argument. This applies a bitmask to the source address before comparing it, and in this case says “match the entire address”. ip6tables will reject an IPv4 mask, but since the default is the equivalent all-ones mask in either address family, the easiest fix in your rules.v6 file is simply to delete every occurrence of --mask 255.255.255.255.

There’s still one more fix we have to make, but it’s a bit of a doozy. Our martians chain is, unfortunately, specifically addressing IPv4 martians. In addition to doing nothing to benefit our IPv6 firewall, these rules cannot be parsed by ip6tables-restore at all, and because it loads the file atomically, one bad rule causes the entire file to be rejected. We have to replace these rules with ones that block IPv6 martians. Those look like this:

Swap those in for the entire list of -A martians rules from your IPv4 rules, and now we’re done adapting our firewall to IPv6! With your copied-and-updated rules.v6 file, you can simply run sudo ip6tables-restore < /etc/iptables/rules.v6 to build your IPv6 firewall into a matching state with your IPv4 one. Because the file lives at /etc/iptables/rules.v6, iptables-persistent will also load it for you at boot, just as it does rules.v4.
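The three edits above (copy the file, delete the --mask arguments, swap the martians chain) are mechanical enough to script. The following is an added example, not code from the original series: it derives rules.v6 from rules.v4 with awk, leaving every other line untouched. The IPv6 martian list it uses is this example’s own conservative choice rather than the post’s list, the chain name martians and the -j DROP action are assumptions (adjust if your chain logs first), and the sample rules.v4 it ships with is constructed for the example so it can be exercised without touching /etc/iptables.

```shell
#!/bin/sh
# Added example (not from the original series): build rules.v6 from rules.v4.
# 1. drop every "--mask 255.255.255.255" (IPv4-only; the default is the
#    all-ones mask in either family),
# 2. replace the IPv4 "-A martians" rules with an IPv6 bogon list,
# 3. leave every other line exactly as it was.
# Assumptions: the chain is named "martians" and its rules end in "-j DROP".
set -eu

# IPv6 source prefixes that should never arrive on an Internet-facing
# interface. This is the example's own list, not the one from the post.
# fe80::/10 (link-local) is deliberately absent: Neighbor Discovery and
# router advertisements use link-local sources, and dropping them breaks
# IPv6 outright. fc00::/7 (ULA) is only a martian on a public interface;
# remove it if you route ULA space across the filtered interface.
IPV6_MARTIANS="::/128 ::1/128 ::ffff:0:0/96 100::/64 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7"

# convert_rules_v4_to_v6 SRC DST
convert_rules_v4_to_v6() {
    awk -v list="$IPV6_MARTIANS" '
        BEGIN { n = split(list, pfx, " "); emitted = 0 }
        # Emit the IPv6 martians once, where the first IPv4 martian rule was,
        # so the chain keeps its place relative to the rest of the ruleset.
        /^-A martians / {
            if (!emitted) {
                for (i = 1; i <= n; i++)
                    print "-A martians -s " pfx[i] " -j DROP"
                emitted = 1
            }
            next
        }
        # "--mask 255.255.255.255" is what iptables-save writes on "-m recent"
        # rules; ip6tables rejects it, and its default is equivalent.
        { gsub(/ --mask 255\.255\.255\.255/, ""); print }
    ' "$1" > "$2"
}

# count_martians FILE: number of "-A martians" rules, for a quick sanity check.
count_martians() {
    grep -c '^-A martians ' "$1" || true
}

# check_rules_v6 FILE: parse the result without committing it (needs root).
# Anything else IPv4-specific in your rules (e.g. "-p icmp --icmp-type",
# whose IPv6 form is "-p ipv6-icmp -m icmp6 --icmpv6-type") shows up here.
check_rules_v6() {
    if command -v ip6tables-restore >/dev/null 2>&1; then
        ip6tables-restore --test < "$1"
    else
        echo "ip6tables-restore not found; skipping syntax check" >&2
    fi
}

# Constructed, abbreviated stand-in for a Part 5 style rules.v4 (made up for
# this example) so the conversion can be exercised offline.
write_sample_rules_v4() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:martians - [0:0]
:knock - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j martians
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --name KNOCKED --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1234 -m recent --set --name KNOCKED --mask 255.255.255.255 --rsource -j DROP
-A martians -s 10.0.0.0/8 -j DROP
-A martians -s 127.0.0.0/8 -j DROP
-A martians -s 169.254.0.0/16 -j DROP
-A martians -s 172.16.0.0/12 -j DROP
-A martians -s 192.168.0.0/16 -j DROP
-A martians -s 224.0.0.0/4 -j DROP
COMMIT
EOF
}

# Usage: sh convert.sh /etc/iptables/rules.v4 /etc/iptables/rules.v6
if [ "$#" -eq 2 ]; then
    convert_rules_v4_to_v6 "$1" "$2"
    check_rules_v6 "$2"
fi
```

Run it with sudo ip6tables-restore --test available and it will refuse to write a broken file silently: the conversion is purely textual, so anything IPv4-specific beyond the two cases the post covers still needs a hand edit, and the parse check is what catches it before you load the rules for real.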

And with that, we already reach the end of this post. Your rules.v4 file should be no different from what you had at the end of Part 5, but now we have rules.v6 with this content: